
Here is a CTF crypto challenge like this (its write-up is public at https://ctftime.org/writeup/15438):

$$N = p*q\\ c1 = (2*p + 3*q)^{e_{1}} mod N\\ c2 = (5*p + 7*q)^{e_{2}} mod N$$

After I transform these:

$$(c^{e_2}_1)\equiv (2p)^{e_1e_2}+(3q)^{e_1e_2}\pmod{N}\\ (c^{e_1}_2)\equiv (5p)^{e_1e_2}+(7q)^{e_1e_2}\pmod{N}$$

After multiplying by $5^{e_1e_2},2^{e_1e_2}$ to cancel p from the two equations, I can work through the problem until I get an equation like:

$$(c^{e_2}_1)*(5)^{e_1e_2}-(c^{e_1})*(2)^{e_1e_2}\equiv q^{e_1e_2}*(15^{e_1e_2}-14^{e_1e_2})\pmod{N}$$

which means divides the difference between left side and right side.

But I don't know why p or q can be obtained from:

$$gcd((c^{e_2}_1)*(5)^{e_1e_2}-(c^{e_1})*(2)^{e_1e_2},N)$$

Could anyone explain the knowledge behind this, or why?

Ayumi80s

1 Answer

The question has shown $${c_1}^{e_2}\times5^{e_1e_2}-{c_2}^{e_1}\times2^{e_1e_2}\equiv q^{e_1e_2}(15^{e_1e_2}-14^{e_1e_2})\pmod{pq}$$ If a congruence holds modulo a product of two integers, then it holds modulo each integer. Thus the congruence holds modulo $q$.

The right hand side of the congruence is a multiple of $q$. Therefore ${c_1}^{e_2}\times5^{e_1e_2}-{c_2}^{e_1}\times2^{e_1e_2}$ is a multiple of $q$.

$N$ also is a multiple of $q$. Therefore, $q$ is a divisor of ${c_1}^{e_2}\times5^{e_1e_2}-{c_2}^{e_1}\times2^{e_1e_2}$ and of $N$.

The only divisors of $N$ are $1$, $p$, $q$, $N$, and $q$ divides only the latter two. Therefore, $\gcd\left({c_1}^{e_2}\times5^{e_1e_2}-{c_2}^{e_1}\times2^{e_1e_2},N\right)$ is either $q$ or $N$. The latter would hold only if $p$ divided ${c_1}^{e_2}\times5^{e_1e_2}-{c_2}^{e_1}\times2^{e_1e_2}$, which has no particular reason to hold and thus is very unlikely.

Thus in all likelihood $\gcd\left({c_1}^{e_2}\times5^{e_1e_2}-{c_2}^{e_1}\times2^{e_1e_2},N\right)$ is $q$. We can compute ${c_1}^{e_2}\times5^{e_1e_2}-{c_2}^{e_1}\times2^{e_1e_2}$, or more efficiently ${c_1}^{e_2}\times5^{e_1e_2}-{c_2}^{e_1}\times2^{e_1e_2}\bmod N$, then take its GCD with $N$ by the Euclidean algorithm, and factorize $N$.

fgrieu
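The gcd step from the answer above, run on constructed values, as an added example that is not part of the original question or answer. The primes (two Mersenne primes), the exponents and the function names are assumptions chosen for illustration; they are not the challenge's real parameters.

```python
from math import gcd


def make_instance(p, q, e1, e2):
    """Build the challenge's public values (N, c1, c2) from secret primes."""
    n = p * q
    c1 = pow(2 * p + 3 * q, e1, n)
    c2 = pow(5 * p + 7 * q, e2, n)
    return n, c1, c2


def difference(n, c1, c2, e1, e2):
    """c1^e2 * 5^(e1*e2) - c2^e1 * 2^(e1*e2), reduced mod N as the answer suggests."""
    e = e1 * e2
    return (pow(c1, e2, n) * pow(5, e, n) - pow(c2, e1, n) * pow(2, e, n)) % n


def recover_factors(n, c1, c2, e1, e2):
    """Return (p, q), where q is the gcd of the difference with N."""
    g = gcd(difference(n, c1, c2, e1, e2), n)
    if g == n:
        # The unlikely case from the answer: p also divides the difference.
        raise ValueError("gcd is N; p divides the difference as well")
    return n // g, g


# Constructed sample input: known Mersenne primes, small public exponents.
P = 2**89 - 1
Q = 2**61 - 1
E1, E2 = 65537, 257

if __name__ == "__main__":
    n, c1, c2 = make_instance(P, Q, E1, E2)
    p, q = recover_factors(n, c1, c2, E1, E2)
    print("recovered q:", q)
    print("recovered p:", p)
```

The reduction mod N before the gcd keeps every intermediate value below N, which is why `pow` with a modulus is used throughout.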